The University of Coimbra (UC) is a legal entity governed by public law, which performs a plurality of functions, conferred by law and regulations, within the fields of teaching, scientific research, dissemination of knowledge, science and culture, and which, due to the relations and articulations it establishes with society in the fulfillment of its mission, needs to treat citizens’ personal data.
The UC is committed to the six principles underlying the General Data Protection Regulation (GDPR), the Portuguese Data Protection Law and all other relevant standards relating to the protection of individuals’ rights and freedoms. Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The UC treats personal data for the purposes of management, administration, research, or other purposes required by law, as well as for the execution of statutory and regulatory requirements.
All processing of personal data by the UC comply with this Policy, with the guidance of the national supervisory authority - the Comissão Nacional de Proteção de Dados (National Data Protection Commission/CNPD), as well as the recommendations and guidance of the UC Data Protection Officer.
In accordance with Article 15 of the GDPR, the UC fully recognizes data subjects' "right of access" to any personal data and does not restrict such access except as provided by law. The UC also recognizes all the other rights granted to individuals under personal data protection legislation and are committed to meeting the requests of those wishing to exercise those rights.
 – Our commitment
i. Protect the security and privacy of personal data;
ii. Communicate transparently about the personal data we manage and under what conditions;
iii. Provide appropriate mechanisms for the exercise of the rights of data subjects;
iv. Respect the provisions of (EU) Regulation 2016/679 of the European Parliament and of the 27th April 2016 Council - GDPR - and other applicable legislation, including national legislation supplementing the GDPR.
All contents of this website, unless otherwise indicated, are owned by the UC and may not be reproduced or modified without its express permission, except in cases of free use, namely for teaching or research purposes or for personal use. In these cases their ownership shall be mentioned.
The guidelines, recommendations and information contained on our website aim a better understanding of data protection rules and may not under any circumstances, be used to create legal rights or expectations. Since these guidelines reflect the state of the art at the time of their preparation, they should be considered as an “evolutionary instrument” open to improvement and contents’ updating.
The access to the UC website implies full acceptance of the various notices contained therein, and that you agree to use the UC website lawfully and in no way cause any harm to the rights or interests of the UC or any third party.
By accessing this web site, users assume to know and accept the following terms and conditions, that we recommend reading.
 - Reservation of right of disposal
 - Responsible for the processing of personal data
For the purposes of GDPR Articles 4 and 24, the data controller is the UC, based in Paço das Escolas, 3004-531 Coimbra, since it is the entity that decides which data are collected, the material and human means used in the treatment, the storage period and their purpose.
 – Collection of personal data (object)
Data may be provided directly by the data subject, may be collected within the relationship established with the data subject and may also be requested and processed with the data subject's consent. The UC collects personal data in person, by telephone, in writing or through computer systems, including, in particular, when Users visit our website, subscribe to newsletters, respond to surveys, fill out forms or other features or resources available on the website. All data collected through forms contain their protection clauses, which comply with the provisions of the data protection regulations, and in all cases the UC only treats personal data deemed appropriate, relevant and not excessive, in order to comply with the specific, explicit and legitimate purposes for which they are intended.
 - Collection of personal data (types)
The UC, in the scope of its activities, collects and treats personal data, necessary for the accomplishment of its attributions, according to the terms of the Legal Regime of the Higher Education Institutions, Law no. 62/2007, September 10th (RJIES), of the Statutes (Normative Order No. 8/2019, of March 19th) and other legal and administrative obligations.
Accordingly, the collection and processing of personal data will be determined by the purposes underlying each of the UC's areas of activity, and the following categories of personal data will be collected and processed:
- Identification data, including image for the protection of people and assets;
- Family life data, social or financial circumstance;
- Education, training and employment data;
- Attendance and disciplinary data.
The processing of special category data is performed in limited circumstances, always in accordance with the law, and with the prior and explicit consent of their holders. This data may be:
- Racial or ethnic;
- Political opinions or trade union membership;
- Religious or philosophical beliefs;
- Sexual life or orientation;
- Health, genetic or biometric data for the purpose of person identification;
Respecting the principle of minimization, the personal data requested are those strictly necessary to comply with the legal provisions that the UC must comply with.
 – Processing of personal data (object)
The processing of personal data includes, but is not limited to, the collection, registration, consult, use, adaptation, alteration, storage and destruction of data.
 – Data processing (Information to be provided to the holder)
The information about the processing of personal data is provided to the data subject at the time of data collection or, if the personal data was obtained from another source, within a reasonable period of time, depending on the circumstances.
Given the diversity of situations that entail the collection and processing of personal data, at the time of collection, the UC provides the holder of the personal data detailed information on the use that will be made of the information, namely:
I. Unambiguous identification of the data controller and processor, if applicable.
II. DPO’s contact (EPD-UC).
III. The purpose(s) for which personal data are intended, as well as the legal basis for their processing.
Even if consent is not obtained, regardless of the lawfulness of the processing, the controller is obliged to inform about:
- The legal basis for the processing, including reference to the legitimate interests of the controller or of a third party, if based on Article 6 (1/f);
- Whether or not the communication of personal data constitutes a legal or contractual obligation or a necessary requirement to conclude a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of not providing such data.
IV. The recipient(s) or categories of recipients of personal data (if applicable).
V. Identification of the data subject’s rights.
VI. The data retention period or the criteria used to define this period.
VII. Automated individual decision-making, including profiling.
VIII. The entities to whom the data may be communicated.
IX. The possibility of transferring data to third countries (outside the EEA).
X. Any additional information relevant for fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed.
- This legal information does not apply where the data subject is already aware of it;
- Where the controller intends to further process personal data for a purpose other than that for which the data were collected, the controller shall provide the data subject with information about that purpose and any other relevant information prior to such processing.
 – Processing of personal data (lawfulness)
The legal basis for the processing of personal data is based on the performance of a contract to which the data subject is a party (with the UC) or pre-contractual due diligence at the request of the data subject, as applicable. Thus, and in compliance with the GDPR recommendations, the processing of personal data depends on the verification of legitimacy conditions and verification of lawfulness, loyalty and transparency in relation to the data subject.
The processing is lawful if at least one of the following situations (GDPR paragraph 1, article 6) occur:
- the data subject has given prior consent – In certain cases, the UC will only process data if the data subject consents, for example, to the processing of “special categories” of data or personal data of minors (point. a));
- is necessary for the performance of a contract – the UC will process the data to comply with its contractual requirements in which the data subject is an interested party (point. b));
- is necessary for compliance with a legal obligation – in cases that the UC has a legal obligation to process or provide personal data to other entities, for example Ministry of Tutela (Guardianship) (point. c));
- is necessary in order to protect the vital interests of the data subject or of another person - in extreme circumstances, the UC may have to provide information to protect the interests of the holder or the interests of others, for example in medical emergencies (point. d));
- is necessary for the performance of a task carried out in the public interest or in the exercise of official authority – the UC is a teaching establishment and its educational activity, in particular, is conducted by the public interest (including its interest and the interest of others, point. e));
 - Processing of personal data (purposes)
The use of the collected data and its processing aims: the rendering of services to the holder; to provide support; to administer; to facilitate and manage the path of the data subject as a community member; to complement or support the missions of the institution and to meet the statutory and supervisory requests. It is also intended, with the prior consent of the holder, to provide information on products, services, marketing activities, campaigns, statistics and personalized content. Data processing is aimed at:
- Emergency situations;
- Research, investigation and archive;
- Granting direct and indirect social support;
- Promotion and dissemination of the UC activities;
- Official and regulatory reports, as well as accounting/financial reports;
- Administrative purposes, including academic, financial and human resource management, as well as administration of access to facilities or services and attendance;
- Higher Education Statistics Agencies and other entities with legal authority to process data relating to higher education matters, in Portugal or in the European Economic Area.
 - Security measures
As responsible for the processing of personal data and information, the UC ensures that it implements and promotes appropriate and effective technical and organizational measures to comply with data protection principles, with the aim of ensuring permanent confidentiality, integrity, availability and resilience of their processing systems and services.
The widespread use of computer systems for data processing does not exclude the possibility that under certain circumstances the UC will use other media for data collection and processing. In any case, the UC ensures administrative, technical and organizational measures against possible misuse or unauthorized access.
However, it is the responsibility of the users/holders to ensure and guarantee that their computers are adequately protected against harmful software, computer viruses and worms (self-replicating programs mostly for the purpose of uploading backdoors on computers). In addition, they should take other security measures such as the safe configuration of the navigation program or the use of software to create a security barrier.
 – Limitation of Liability
The UC reserves the right to adjust its website using conditions at any time and is not liable for any damages resulting from access to the website, even if they result from access to outdated contents or from virus contact by accessing different networks.
 - Cookies
 - Retention period of personal data
The retention period of personal data is that set by law or guidelines or, in its absence, it shall be the necessary period for the pursuit of the purpose that motivated its collection and processing, after which the personal data are deleted.
However, for the purpose of data processing for public interest archives, for scientific or historical research purposes or for statistical purposes, the UC may retain some of the data for longer periods, without prejudice to the application of the appropriate protection of the rights and data subject's freedoms, in accordance with the applicable law.
These guarantees imply the adoption of technical and organizational measures designed to ensure, among others, respect for the principle of data minimization and pseudonymisation.
 - Data subjects' rights of access, alteration and erasure ‘right to be forgotten’
Upon verification of the legally provided conditions, the UC guarantees to data subjects the right to access, update, rectify, delete, limit or opposition to the processing of personal data concerning them.
The right of access can be exercised through in-person contact, the contact indicated at the time of data collection or by e-mail epd(at)uc.pt.
 - Subcontractors and transfer of data to third parties
The UC, within its competence, may use subcontractors to provide services. When data processing is performed by a subcontractor or third party to whom data are transmitted, the UC shall verify if they provide guarantees on appropriate technical and organizational measures, so that the processing complies with the GDPR requirements and safeguards the data subject’s rights.
In these cases, the processing is regulated by contract or other normative instrument, which binds the subcontractor or the third party to the UC (data controller) guidelines, as the data controller entity. The contract with the subcontractor states:
- The data location;
- The nature and purpose of data processing;
- The obligations and rights of each party;
- Object definition and processing duration;
- Identification of the subcontractor's DPO, if applicable;
- The type of personal data and categories of the data subjects;
- Security and privacy measures, applicable European standards;
- The subcontracting conditions and the subcontractor's confidentiality policy;
- The densification of the subcontractor's obligations to notify personal data breaches;
- The provisions concerning the non-transfer of data to countries outside the EU, or, if the transfer is necessary, to invoke which are the suitability decisions pursuant to GDPR Articles 44 to 50 and points 101 to 116;
The UC is bound to law and administrative procedures and is therefore obliged to provide information to other entities, namely:
- Travel agencies;
- Professional entities;
- Research Institutions;
- Insurance companies;
- Other public institutions;
- Academic Association of Coimbra;*
- Higher Education Accreditation Entities;
- Partner universities for Erasmus program or equivalent;
- Organizations in the framework of Social Action in Higher Education;
- Magnum Consilium Veteranorum - Council of Veterans of the University of Coimbra;*
- Financing Agencies / Partner Institutions submitting applications for national or community funding.
*This transfer is without prejudice to the data subject's right to object.
When sharing personal information with one of these entities, the UC will take all necessary measures and/or actions to confirm that they will perform their duties in accordance with GDPR principles.
 - Data Protection Officer (DPO)
Pursuant to GDPR article 37, the UC has nominated a DPO who can be contacted by e-mail epd(at)uc.pt.
Among other functions, the DPO is responsible for:
- Monitoring the compliance of data processing according to the applicable standards;
- Being a point of contact for the clarification of issues related to data processing
- Cooperating with the CNPD as supervisory authority;
- Provide information and advise the UC, or subcontractors, on their privacy and data protection obligations.
 – Supervisory authority
The supervisory authority is the CNPD, located in Rua de São Bento n.º 148-3.º, 1200-821 Lisboa.
Data subjects under 18 years old
The processing of your personal data depends on the consent of your parents or legal representatives and preferably also on your consent. However, if you have already reached the age of 13 and if the processing of your data takes place exclusively in the context of information society services, your consent is sufficient, but please pay attention that in these cases you can, for example, give your consent to receive information about a product or services, but you cannot enter into contracts or commitments involving payments without the consent of your parents or legal representatives.
Now that you have read our commitment, be sure to lock the screen whenever you leave your computer.